For Cybersecurity, Prevention First, But Don’t Forget About the Treatment
By Terry Edwards
Cyber-attacks are nothing new. We’ve all seen the attacks on major retailers, entertainment giants, and financial institutions. Healthcare is gaining attention as the next industry under attack since cyber-criminals are finding unprecedented value in patient health records.
A patient record can sell for $50 to $150 on the black market, more than a credit card number or a Social Security number. A buyer can use the personal information in a health record to impersonate the patient, commit identity fraud, or even obtain prescription drugs. In 2014, a record number of healthcare providers were hacked, and a number of high-profile healthcare breaches have already made headlines in 2015.
The healthcare industry is taking these attacks seriously and working hard to protect itself against potential threats. However, it is becoming more difficult for healthcare providers to ensure the continued integrity of patient data. Not only are attackers growing more advanced and nimble, but the number of weak points in the system keeps increasing as the industry moves to population health management.
Care delivery is not quite as contained as it used to be. Patients can be treated in a variety of settings as their care teams grow in size. In addition, more types of devices are collecting and sharing patient data, offering more entry points for cyber-criminals to infiltrate. Healthcare organizations are also dealing with tight IT budgets, which in some cases only cover what’s necessary for regulatory requirements.
Ramping up IT defenses to protect patient data is critical, but to avoid a breach, healthcare organizations also need to get back to basics by focusing on the following:
- Develop an internal security committee to conduct a formal risk assessment and identify any areas at risk for a data breach. The committee needs to have the backing of the highest levels of the organization to demonstrate the commitment to protecting patient data.
- Following the risk assessment, the committee should develop an organization-specific risk management strategy to include processes, procedures, tools, and technologies.
- Educate the staff on the new processes and procedures. Implementing new procedures can be the biggest challenge for organizations. It’s not enough to deliver one training session and assume employees are following protocols. Instead, organizations must provide employees with frequent reminders to flag suspicious emails, keep their passwords protected, and encrypt any communication with protected health information.
- Reassess risk on an ongoing basis to make sure employees are following the appropriate processes and procedures and to identify any new vulnerabilities within the system. Cyber-criminals are constantly using new methods to find weaknesses, so healthcare organizations must stay on their toes and keep their technology up to date.
Even with the strongest security protocols in place, sometimes a cyber-criminal can find a way through. The experience of other industries shows that while customers …